When Anthropic published a blog post last Wednesday warning that its newest AI model had crossed a threshold most security experts had long dreaded, the reaction in the upper floors of global finance was immediate. Goldman Sachs chief executive David Solomon, speaking to analysts on an earnings call Monday, said the bank was "hyper-aware" of what the model — called Mythos — could do, and that Goldman was already working closely with Anthropic to manage the risks it introduced.
Mythos is the latest in Anthropic's Claude family of AI tools, and the company's own characterization of it was striking in its candor. In that Wednesday post, Anthropic wrote that AI models had now reached a level of coding capability where they could outperform all but the most elite human hackers at locating and exploiting weaknesses in software systems. The potential consequences, the company said, extended to economies, public safety, and national security.
Solomon confirmed that Goldman not only knows about Mythos but has the model in hand. He told analysts the firm was working with Anthropic and with the bank's broader roster of security vendors to harness what he called frontier capabilities wherever possible, while simultaneously accelerating investment in cyber and infrastructure resilience. The language was measured, but the urgency beneath it was plain.
The stakes are high enough that the conversation has moved well beyond any single bank. Last week, US Treasury Secretary Scott Bessent summoned Solomon and the heads of other major American financial institutions to Washington specifically to discuss the Mythos model. The meeting was limited to chiefs of so-called systemically important banks — institutions whose disruption or collapse regulators believe could destabilize the broader financial system. That the Treasury convened such a gathering over a single AI model signals how seriously the threat is being taken at the highest levels of government.
The concern is not abstract. On Monday, the UK government's AI Security Institute published its own assessment, describing Mythos as a meaningful step up from previous models in terms of the cyber threat it represents. The institute found that Mythos could carry out multi-step attacks and identify vulnerabilities in IT systems without any human guidance — tasks that would ordinarily take trained security professionals days to complete. In a 32-step simulated cyberattack designed by the institute, Mythos became the first AI model to successfully complete the challenge, doing so in three out of ten attempts.
The institute was careful about the limits of its findings. It said Mythos appears capable of autonomously compromising small, lightly defended systems, but stopped short of concluding it could breach well-hardened infrastructure — partly because the tests themselves lacked the kind of defensive tools that real-world targets would deploy. Still, the institute's closing note carried weight: future models will only improve on what Mythos can do, making investment in cyber defense urgent rather than optional.
In the United Kingdom, the regulatory machinery is already moving. The Cross Market Operational Resilience Group — a body that brings together bank chief executives alongside officials from the Treasury, the Bank of England, the Financial Conduct Authority, and the National Cyber Security Centre — is expected to convene within the next two weeks to address the Mythos threat directly with British bank bosses and government officials. The Bank of England, which handles communications for the group, declined to comment.
What the Mythos moment clarifies is that the cybersecurity conversation in finance has shifted from the theoretical to the operational. The question is no longer whether AI will eventually be capable of sophisticated attacks on critical systems — it already is, at least against softer targets. The question now is how quickly the institutions that underpin the global economy can build defenses that keep pace with tools that are, by design, improving faster than the humans trying to contain them.
Notable Quotes
"AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. The fallout — for economies, public safety, and national security — could be severe."
— Anthropic, in a blog post published Wednesday
"We are very focused on supplementing our cyber and infrastructure resilience — this is part of our ongoing capabilities that we have been investing in, and are accelerating our investment in."
— David Solomon, Goldman Sachs CEO, on an earnings call Monday
The Hearth Conversation
Another angle on the story
What makes Mythos different from previous AI models that have raised security concerns?
It's the autonomy. Earlier models needed significant human guidance to move through a multi-step attack. Mythos can identify vulnerabilities and chain actions together on its own — the kind of work that used to take a skilled professional days.
And it actually completed a simulated cyberattack?
Yes — a 32-step simulation designed by the UK's AI Security Institute. It solved the challenge in three out of ten attempts. That's the first time any AI model has managed it.
Why does it matter that Goldman Sachs specifically has the model?
Because Goldman is one of the institutions regulators consider systemically important. If its infrastructure were compromised, the ripple effects through the financial system could be severe. The fact that they're running Mythos internally suggests they're trying to understand the threat from the inside.
Is there something uncomfortable about a bank holding a tool that's been flagged as an unprecedented security risk?
That tension is real. But the logic is that you need to understand a weapon to defend against it. Solomon's framing was about harnessing frontier capabilities — using Mythos to stress-test their own defenses before someone else does.
What does it mean that the US Treasury summoned bank chiefs specifically over this?
It means the threat has been elevated to the level of systemic financial risk, not just IT risk. Bessent didn't call in the heads of systemically important banks to discuss a software patch. That's a geopolitical and economic stability conversation.
The UK's AI Security Institute said it couldn't confirm Mythos could attack well-defended systems. Doesn't that soften the alarm?
Somewhat — but the institute was also honest that its tests lacked real defensive tools. The uncertainty cuts both ways. And the closing warning was explicit: future models will surpass Mythos, so the window for building adequate defenses is now, not later.
What should we be watching for in the next few weeks?
That UK regulatory meeting — the Cross Market Operational Resilience Group — is the next concrete moment. When central bankers, financial regulators, and bank chiefs sit in the same room to talk about a single AI model, whatever comes out of that conversation will shape how the industry responds.